Information Governance and Data Security...
Version 0.1 1 Date
Radford Medical Practice
INFORMATION GOVERNANCE AND DATA SECURITY POLICY 2019

Document History
Version Date: October 2018
Version Number: 1.0
Status: Final
Next Revision Due: January 2021
Developed by: Paul Couldrey (IG Consultant)
Policy Sponsor: Practice Manager
Approved by: Dr K Kaur / Karen Murch
Date approved: 19.2.19
Date ratified:

Revision History
Version / Revision date / Summary of Changes
1.0 / 08/02/18 / First Draft
1.1 / 19.2.19 / Final
Introduction

Radford Medical Practice recognises that information has its greatest value when it is accurate, up to date and accessible where and when it is needed. Inaccurate, outdated or inaccessible information that is the result of one or more information security weaknesses can quickly disrupt or devalue critical processes. Information underpins the delivery of high quality healthcare commissioning and many other key service deliverables. In addition, the public is increasingly concerned about how organisations are handling information; patients have a right to expect us to handle their data in a safe and secure manner and to comply with legal and professional responsibilities.

There is a legal requirement for the practice, as a Public Authority, to address compliance with the incoming General Data Protection Regulation (GDPR) by 25 May 2018, and with the associated UK-specific Data Protection Act 2018, together with associated NHS guidance (to be published). An effective information security management regime must be in place to ensure that information is appropriately protected and reliably available.

This document sets out a strategic direction for information governance management within the Practice. The policy is based on a number of legal and best practice standards including:

• ISO 27001, the international standard for information security management systems (ISMS)
• Information Security Management: NHS Code of Practice
• General Data Protection Regulation 2016, Data Protection Act 2018, Freedom of Information Act 2000, Computer Misuse Act and other related law and regulation
• Health and Social Care Act 2013
• NHS Act 2006 (s.251 and associated CAG Approvals)
• Office of Government Commerce (OGC) Policies & standards
o Information Technology Infrastructure Library (ITIL)
o Communications-Electronics Security Group (CESG) Guidance
o Management of Risk

The Practice is committed to ensuring that there is adequate provision for the secure management of information resources it owns or controls. The Practice recognises that information security is not simply about implementing information technology solutions; it reflects overall management and the culture of the organisation.
Scope

This policy relates to:
• all information that is processed or held during the practice business or on its behalf by key providers;
• the handling of all information through all recognised means; and
• all information systems purchased, developed and managed by or on behalf of the Practice.

It also applies to all members of staff employed by, or working on behalf of, the Practice, including contracted, non-contracted, temporary, honorary, secondments, bank, agency, students, volunteers, locums or third parties.

The Information Governance Policy recognises that the practice is an organisation working within a new and rapidly changing commissioning and information governance landscape, especially with the introduction of the GDPR. As such the Practice's policy is focused on setting up and embedding the required governance arrangements and doing this in such a way that the practice retains the maximum flexibility and resilience so that it can adapt to this environment. The key elements and resources to support the delivery of this policy are:

• The Data Security and Protection Toolkit (2018);
• Information Governance Management Framework and Policy;
• GDPR PID and Improvement Plans (High Level and Operational);
• Information Governance Policy;
• Information Governance Policies.

The Information Governance Improvement Plan, identifying lead practice officers, will be agreed each year to ensure compliance against each of the requirements. This Plan forms part of the overall practice endorsed Data Protection and Confidentiality Policy.
Purpose

The purpose of this policy is to describe the management arrangements that will deliver Information Governance assurance for the Practice. Information Governance is a framework that enables the organisation to establish good practice around the processing of information and use of information systems, ensure that information is handled to ethical and quality standards in a secure and confidential manner, promote a culture of awareness and improvement, deliver its corporate objectives and comply with legislation, statutory requirements and other mandatory standards.

The Information Governance Management Framework (IGMF) will underpin the Practice's strategic goals and ensure that the information needed to support and deliver their implementation is readily available, accurate and understandable. Information Governance has four fundamental aims:

• To support the provision of high-quality care by promoting the effective and appropriate use of information;
• To encourage responsible staff to work closely together, preventing duplication of effort and enabling efficient use of resources;
• To develop support arrangements and provide staff with appropriate tools and support to enable them to carry out their responsibilities to consistently high standards;
• To enable the practice to understand its own performance and manage improvement in a systematic and effective manner.

The Practice has a statutory responsibility to patients and the public to ensure that the services it provides have effective policies, processes and people in place to deliver objectives in relation to holding and using confidential and personal information.

Broad Objectives
The Practice will ensure there is a systematic and planned approach to the management of information governance by establishing an Information Security Management System (ISMS) in line with ISO 27001 and Information Security Management: NHS Code of Practice.

• The effectiveness of the ISMS will be continually improved through the use of audit results, analysis of incidents, corrective and preventive actions and management reviews.
• All important information assets will be identified and appropriately managed and protected. Any protection applied will be based on formally documented risk assessments to ensure that it is commensurate with the value of the asset and the perceived threats.
• Actual and potential information governance related incidents will be recorded and responded to in a timely and appropriate manner; findings will be fed into the ISMS to ensure continued and ongoing improvements.
• Steps will be taken to ensure that internal and external transfers of patient confidential information are conducted in a secure and safe manner; this will include, for example, encryption of emails and removable media holding personal information (as mandated by the Cabinet Office Information Governance Assurance Programme in 2008).
• All staff, contractors and other relevant parties will be made aware of the organisation's requirements for information security and undertake appropriate training.
• A culture of information security awareness will be promoted and established.
• Procedures will be established to ensure that information governance requirements are addressed during the implementation, development and maintenance of services and/or systems.
• Business continuity plans will be developed across all services to ensure the centre is able to continue with its core business functions in the event of a failure or loss of systems or services. Appropriate procedures will be developed to ensure the timely recovery or replacement of information systems and services. The plans will be regularly tested and revised.
• Systems and services will be regularly audited against information governance related policies and procedures. The results of such audits will be fed into the ISMS, the Information Governance work-plan and information risk registers to ensure continued and ongoing improvement.

Information Security Management System (ISMS)

The Practice recognises that effective information security involves more than simply installing security products such as anti-virus software and providing a security policy. The practice will establish an ISMS, which will provide a means to identify and co-ordinate the approach to the management of information security within the practice in order to protect it, and its business. The ISMS will be based on the NHS Information Security Management Framework.

The governing principle behind the ISMS is the design, implementation and maintenance of a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk. Based on this risk approach, we will establish, implement, operate, monitor, review, maintain and improve information security for all organisations within the Practice.
The Core Elements of an effective Information Security Management System are summarised in the following Plan-Do-Check-Act model.

PLAN - Establish the ISMS
• Define the business needs for information security and set those out in a corporate Information Security Policy
• Identify and assess the risks to Information Security
• Identify and evaluate controls to be established to manage the information security risks identified, transfer the risks or accept them as appropriate.

DO - Implement and operate the ISMS
• Develop and implement action plans to manage the identified information security risks
• Implement training and awareness for all relevant staff

CHECK - Monitor and review the ISMS
• Establish processes to identify actual and potential information security incidents or system weaknesses
• Monitor and update information security risk assessments as required
• Monitor the effectiveness of the ISMS in managing information risks through internal reviews and independent audit.
• Report the results to management for review.

ACT - Maintain and improve the ISMS
• Take corrective and preventative actions, based on the results of audits and management reviews or other relevant information, to achieve continual improvement of the ISMS.

Following the principles of the above model, an Information Governance Work-plan for the practice will be created. This encompasses the requirements of the DS&P Toolkit, legal and NHS requirements and the results of audits and risk assessments. The work-plan will be carefully monitored and regularly reviewed and revised, to ensure it continues to meet the information governance requirements of the practice and ensure continuous improvement.

Governance Arrangements

Meetings will be held every 6 months with the Caldicott Guardian, SIRO, IG lead and Admin Lead. The group will perform the following functions:

• Develop and maintain the information governance policy and supporting policies, procedures and guidelines.
• Conduct regular audits to review the effectiveness of the implementation of the information governance policy.
• Provide clear direction and visible management support for security initiatives.
• Identify the resources needed for information governance.
• Approve assignment of specific roles and responsibilities for information governance across the Practice.
• Initiate plans and programmes to maintain information security awareness.
• Ensure that the implementation of information security controls is coordinated across the Practice.
• Take appropriate action and implement any necessary changes to policy or procedures in response to the results of audits or incidents.
• Continually monitor and assess risks, ensuring appropriate and timely responses to changing and emerging threats.

Information Governance Definition

Information Governance is "a framework for handling information in a confidential and secure manner to appropriate ethical and quality standards in modern health services". It brings together within a single cohesive framework the interdependent requirements and standards of practice. This policy forms part of the Practice's overall Practice Assurance Framework.

IG is defined by the requirements that the organisation is required to demonstrate compliance with as part of the DS&P toolkit from 2018. These include the following domains:

• Information Governance Management
• Confidentiality and Data Protection Assurance
• Information Security Assurance
• Clinical Information Assurance
• Secondary Use Assurance

Within this definition and these domains the practice will handle and protect many classes of information:

• Some information is confidential because it contains personal details; the practice must comply with regulation which governs the holding and sharing of confidential personal information. Changes to the way in which patient confidential data can be processed came about as a result of the Health & Social Care Act 2012. It is important that relevant, timely and accurate information is available to those who are involved in the care of service users, but it is also important that personal information is not shared more widely than is necessary;
• Some information is non-confidential and is for the benefit of the practice and the general public; the practice and its employees share responsibility for ensuring that this type of information is accurate, up to date and easily accessible to the public;
• The majority of information about the practice and its business should be open to public scrutiny, although some, which is commercially sensitive, may need to be safeguarded.

Information can be in many forms, including (but not limited to):
• Structured record systems – paper and electronic;
• Transmission of information – fax, e-mail, post and telephone; and
• All information systems purchased, developed and managed by or on behalf of the Practice.

Aims & Objectives

The IG Policy of the practice will be based upon a vision of a long-term delivery of clear, open aims and objectives to ensure that:

• The practice complies with all statutory requirements;
• The practice has an information governance policy that supports the achievement of corporate objectives;
• The practice can demonstrate an effective framework for managing information governance assurance;
• Staff are aware of their responsibilities and the importance of information governance;
• Information governance becomes a systematic, efficient and effective part of business as usual for the Practice;
• Information governance is integrated into the change control process;
• There are effective methods for seeking assurance across the organisation;
• The Practice can demonstrate that the information governance arrangements of organisations it commissions services from across healthcare and commissioning support are adequate;
• The policy is able to respond to any change required by external bodies and any challenges emerging from changes to the information governance landscape.

An outline of the high-level IG organisational objectives that the practice seeks to achieve is as follows:

• Comply with the relevant information privacy and confidentiality laws and regulations as well as contractual requirements and internal policies on information and systems security and protection, and provide transparency on the level of compliance via the DS&P Toolkit;
• Maintain information risk at acceptable levels and protect information against unauthorised disclosure, unauthorised or inadvertent modifications, and possible intrusions;
• Address the increasing potential for civil or legal liability impacting the organisation as a result of information breaches through efficient and effective risk management, process improvement and rapid incident management;
• Provide confidence in interactions with key external organisations – for example, Acute & Community Providers, customers, NHS England, NHS Digital, Monitor, Commissioners and the CQC;
• Create, maintain and continuously improve trust from customers and the public;
• Provide accountability for safeguarding patient and other critical information; and
• Protect the organisation's reputation.

These aims and objectives will be achieved by ensuring the effective management of Information Governance by:

• Ensuring that the practice meets its obligations under the Data Protection legislation, the Human Rights Act 1998, the Freedom of Information Act 2000 and the Health and Social Care Act 2012;
• Establishing, implementing and maintaining policies for the effective management of information;
• Ensuring that information governance is a cohesive element of the internal control systems within the Practice;
• Recognising the need for an appropriate balance between openness and confidentiality in the management of information;
• Ensuring that information governance is an integral part of the practice culture and its operating systems;
• Ensuring maintenance of year on year improvement within the DS&P Toolkit submission;
• Reducing duplication and looking at new ways of working effectively and efficiently;
• Minimising the risk of breaches of personal data;
• Minimising inappropriate uses of personal data;
• Ensuring that Service Level Agreements between the practice and other organisations are managed and developed in accordance with Information Governance Principles;
• Ensuring that contracted bodies are monitored against Information Governance standards;
• Protecting the services, staff, reputation and finances of the practice through the process of early identification of information risks and, where these risks are identified, ensuring sufficient risk assessment, risk control and elimination are undertaken;
• Ensuring there is provision of sufficient training, instruction, supervision and information to enable all employees to operate within information governance requirements, including those undertaking specialist roles;
• Ensuring the information governance policy and related plans link to and support other corporate or strategic objectives, e.g. business continuity planning, and ensuring the practice is able to meet its commitments under the Civil Contingencies Act 2004 (specifically the Emergency Preparedness, Resilience & Response assurance process).
Roles and responsibilities

Information Governance Steering Group

The Information Governance Steering Group will be established to support and drive the broader information governance agenda and provide the partners with the assurance that effective information governance best practice mechanisms are in place within the Practice.

The IGSG will meet every 6 months and will be chaired by the SIRO. The Group will:

• be accountable to the Senior partners;
• support the practice SIRO and the practice Caldicott Guardian in their roles;
• monitor information governance performance annually using the DS&P Toolkit hosted by NHS Digital (NHSD);
• provide audited toolkit results to the partners for approval prior to final submission to the NHSD;
• be responsible for overseeing operational information governance issues;
• develop and maintain policies, standards, procedures and guidance;
• co-ordinate and monitor the implementation of the information governance policy, framework and policies across the Practice.

In addition to the SIRO, the membership of the IGSG will include the following:

• Senior Information Risk Owner (SIRO)
• Caldicott Guardian
• General Manager

(Terms of Reference in Appendix 1)

Individual roles

Senior Information Risk Owner (SIRO) – Paul Couldrey

The SIRO for the Practice holds responsibility for ensuring that information is processed and held securely throughout the Practice. The role covers all the aspects of information risk, the confidentiality of patient and service user information and information sharing. The Data Protection and Security Toolkit sets out clear responsibilities of the SIRO in relation to risks surrounding information and information systems, which also extend to business continuity and the role of Information Asset Owners.

In particular, the SIRO is responsible for:

• leading and fostering a culture that values, protects and uses information for the success of the practice and benefit of its service users;
• owning the Practice's overall information risk policy and risk assessment processes and ensuring they are implemented consistently by Information Asset Owners (IAOs);
• taking ownership of information risk assessment processes, including the review of the annual information risk assessment, and agreeing actions in respect of any risks identified;
• ensuring that the Practice's approach to information risk is effective in terms of resources, commitment and execution and that this is communicated to all staff;
• ensuring Information Asset Owners (IAOs) undertake risk assessments of their assets;
• being responsible for the Incident Management process, ensuring identified information security risks are addressed and any lessons learnt are implemented;
• providing a focal point for the management, resolution and/or discussion of information risk issues;
• ensuring that the Practice's approach to information risk is effective in its deployment in terms of resource, commitment and execution and that this is communicated to all staff;
• ensuring the organisation is adequately briefed on information risk issues.

Data Protection Officer – Paul Couldrey

• Paul Couldrey of PCIG Consulting Limited will act as the DPO for the Practice. This role is key in ensuring that the Practice complies, and can demonstrate that it complies, with GDPR.
Caldicott Guardian – Dr K Kaur

The Caldicott Guardian is responsible for acting as a champion for data confidentiality. They should ensure that confidentiality issues are appropriately reflected in practice policies and working procedures for staff and oversee all arrangements, protocols and procedures where confidential information may be shared with external bodies, including disclosures to other public sector agencies and other outside interests.

The Caldicott Guardian is responsible for:

• ensuring that the practice satisfies the highest practical standards for handling patient information;
• ensuring confidentiality is reflected appropriately in the Practice's policies and procedures to support the lawful and ethical processing of information;
• acting as the 'conscience' of the Practice;
• ensuring that staff comply with Caldicott Principles and the guidance contained in the NHS Confidentiality Code of Practice;
• facilitating, enabling and overseeing information sharing agreements and arrangements put in place to share personal confidential data with external bodies.

IG Lead – Karen Murch

The nominated IG lead is the Practice Manager. The IG Lead has responsibility for project managing the overall co-ordination, publicising and monitoring of the Practice IG framework. The IG Lead has specific responsibility for the development of this policy, producing reports and DS&P Toolkit returns.

Information Asset Owners

The Information Asset Owners (IAO) will be senior members of the practice staff responsible for information assets within their remit. They will provide assurance to the SIRO that information risk is managed effectively for their information assets. This will be achieved by:

• Ensuring all Information Assets and flows of data within their remit are identified and logged, ensuring each has a legal basis to be processed.
• Identifying, managing and escalating all information security (for example, dependencies and access control) and information risks as appropriate.
• Supporting Information Asset Administrators who will ensure the above takes place. The detailed roles and responsibilities are defined in Appendix A of the NHS Information Risk Management Guidance.
• Ensuring that information risk assessments are performed on all information assets where they have been assigned 'ownership' and providing assurance to the SIRO on the security and use of these assets;
• Knowing what information is held and for what purpose;
• Ensuring that information governance policies and system level procedures are followed.
All staff (and Third Parties)

All those working for the practice have legal obligations, under the Data Protection legislation, common law duty of confidentiality, and professional obligations, for example the Confidentiality: NHS Code of Practice and professional codes of conduct. These are in addition to their contractual obligations, which include adherence to policy, and confidentiality clauses in their contract.

The same responsibilities apply to those working on behalf of the organisation, whether they are volunteers, students, work placements, contractors or temporary employees. Those working on behalf of the organisation are required to sign a third-party agreement outlining their duties and obligations.

Breaches of any law, contract, code of practice or confidentiality agreement will be reported using appropriate channels and action taken where necessary.

Data Security and Protection Toolkit

Completion of the Data Security and Protection Toolkit is mandatory for all organisations using NHSMail and providing NHS services. The Toolkit covers most statutory, common law and professional requirements, as well as training, assurance processes and change control processes. Annual improvement plans will be developed each year to ensure the practice achieves a satisfactory level in all requirements. As the DS&P is publicly available, assessment scores of partner organisations will be used to assess their suitability to share information and to conduct business with.

The Practice's progress will be reported to the Partners at regular intervals by the SIRO. Compliance with the Toolkit will provide assurance to the Partners that the majority of strategic information governance objectives are being met.

The practice will comply with the NHSD deadlines for submission of updates and final assessment.
IG Policies

The practice is committed to ensuring that its policies follow the HORUS model as proposed by the Department of Health to ensure compliance with legislation, including the GDPR 2016 and Data Protection Act 2018. The principles of this model are that information is:

• Held safely and confidentially;
• Obtained fairly and lawfully;
• Recorded accurately and reliably;
• Used effectively and ethically;
• Shared and disclosed appropriately and lawfully.

To deliver this model, the practice will ensure that:

• policies and procedures are in place to facilitate compliance with all relevant legislation, regulations and duties;
• compliance with the Data Protection Act 2018 is maintained when handling Personal Confidential Data, except where there is a legal requirement to override the Act;
• information is appropriate for the purpose intended and that at all times the integrity of information is developed, monitored and maintained;
• information made available for operational purposes is maintained within set parameters relating to its importance via appropriate procedures and computer resilience systems;
• all identifiable information relating to patients is regarded as confidential;
• all identifiable information relating to staff is regarded as confidential, except where national policy on accountability and openness requires otherwise;
• when person identifiable data is shared, the sharing complies with the law;
• guidance and best practice and both service user rights and public interest are respected;
• non-confidential information relating to the Practice and its services is made available to the public through a variety of media, in line with the Freedom of Information Act and Environmental Information Regulations;
• there are clear procedures and arrangements for liaison with the press and broadcasting media;
• patients and service users have access to information relating to their own health care, options and treatment and their rights as patients;
• annual audits of compliance with legal requirements are undertaken or commissioned;
• information and IT security, information quality and record management requirements are met in accordance with the DS&P Toolkit;
• the roles and responsibilities identified within the IG Framework are integrated and embedded within the organisation;
• procedures for the effective and secure management of its information assets and resources are established and maintained;
• information is managed throughout its lifecycle of creation, retention, maintenance, use and disposal;
• procedures for information quality assurance and the effective management of records are established and maintained;
• information is effectively managed so that it is accurate, up-to-date, secure, retrievable and available when required;
• incident reporting procedures, which include the investigation of all reported instances of actual or potential breaches of confidentiality and security, are established and maintained;
• Risk Management and reporting procedures are established and maintained, and risk controls and monitoring processes are in place for all reported information risks;
• relevant instruction and training is provided to all staff through induction and thereafter annually in relation to this policy.

IG Resources

The Information Governance Policy and Framework is enacted through the Information Governance Improvement Plan. This covers major elements of information governance implementation, including:

• Completion of the DS&P Toolkit;
• Implementation of relevant policies and procedures;
• Information flow mapping;
• Information asset register and asset risk assessments;
• Incident reporting and management;
• Mandatory and specialist training;
• Annual assurance statements from IAOs to the SIRO, and onwards to the partners.

The IGSG will identify any policy associated resource implications incurred by the implementation of the Information Governance improvement plan. Business cases will be developed to deliver specific initiatives or projects (if necessary).

Incident Reporting & Management

Incidents must be reported and managed through established processes. Significant issues will be subject to full investigation and reporting action. Incidents relating to personal information will be reported to the Caldicott Guardian whilst those of a more corporate nature will be reported to the SIRO.

The Practice will put in place suitable mechanisms to ensure staff identify and manage information risks in line with existing risk management policy and processes. All information governance incidents must be reported as soon as they are detected in accordance with the Practice's Incident Reporting and Management procedure.

Information Security
With the increasing use of electronic data and ways of working which rely on the use of electronic information and communication systems to deliver services, there is a need for professional advice and guidance on their use as well as the need to ensure that they are maintained and operated to the required standards in a safe and secure environment.

Risk Management

The ability to apply good risk management principles to IG is fundamental and the Practice will apply them through organisational policies. Risk assessment will also be included as part of the Information Asset Owners' role. Any information flows from or into identified information assets will be risk assessed and the results reported to the Practice SIRO for risk mitigation, acceptance or transfer.

Legal Compliance

The Data Protection legislation (GDPR and DPA 1998/2018) is the most fundamental piece of legislation that underpins Information Governance. The practice is registered with the Information Commissioner's Office and will fully comply with all legal requirements of the law. A process will be adopted to ensure that a review of all new systems is carried out and, where requirements such as the need for Privacy Impact Assessments (PIA) are highlighted, these will be completed. This will be included in the IG service specification.

Training and Staff Support

Fundamental to the success of delivering the Information Governance Policy is developing an Information Governance culture within the Practice. Awareness and training will be provided to all staff that utilise information in their day-to-day work to promote this culture. In order to achieve this, the IGSG will ensure:

• all staff complete an Induction session when they first start employment which will include Information Governance. In subsequent years all staff are required to complete further Information Governance training as set out on e-learning for health. This is an annual exercise and is required to meet a satisfactory level within the DS&P toolkit;
• specific modules available for the Caldicott Guardian, SIRO, IAOs and IG staff themselves are completed;
• all staff undertake an annual training needs analysis and any recommendations identified will be complied with by staff;
• all staff are kept informed of compliance and standards set to support this policy via staff bulletins and, where necessary, Information Governance specific messages;
• staff surveys are implemented to assess levels of understanding and ensure staff are fully aware of their responsibilities;
• provide staffwith theopportunity todevelopmoredetailedknowledgeandappreciationoftheroleofinformationgovernancethrough:
• IGPoliciesandthispolicy;• Induction,mandatoryandrefreshertraining;• Linemanagersupport;• Specifictrainingcoursesforspecialistroles.
Implementation & Dissemination

This policy once approved by the Partners will be shared with all members of staff. A team briefing will also be provided to support this dissemination. The implementation of this IG policy and IG Toolkit improvement plan will ensure that information is more effectively managed in the Practice. To support this policy, the Practice will implement key IG policies and will ensure that staff abide by these. Each year the IG policy will be reviewed, and a revised DS&P Toolkit improvement plan will be developed against the DS&P Toolkit attainment levels and scores, thus identifying the key areas for a programme of continuous improvement.

Policy, Protocol and Procedure Distribution

All employee-based policies, protocols and procedures will be made available on the practice shared drive and will be highlighted in staff briefings. Knowledge of the key details of Information Governance related policies will be tested through the use of the online Information Governance training tool, and the use of staff surveys and/or confidentiality audits to test knowledge in particular areas.

Monitoring and Review

This policy will be reviewed on the first anniversary following its adoption and subsequently every two years until rescinded or superseded. An earlier review of this document may be undertaken in the event of:
• Legislative or case law changes;
• Changes or release of good practice or statutory guidance;
• Identified deficiencies, risks or following significant incidents reported;
• Changes to organisational infrastructure;
• New vulnerabilities;
• Practice change or change in system/technology;
• Changing methodology.
Performance Indicators

The DS&P Toolkit submission is a mandatory annual return; the criteria for compliance are set out within the relevant Toolkit. The successful implementation of Information Governance across the organisation will be reflected in the achievement level produced from the annual Toolkit submission.

Performance against this policy will be monitored against the DS&P Toolkit requirements by the IGSG, and escalated to the Partners. The level of assurance will be submitted officially via the Information Governance Toolkit on an annual basis.

Internal Reporting

Formal reporting will be managed through the IGSG group. The Practice Manager will establish effective reporting arrangements with the partners to ensure the practice is receiving ongoing assurance of their IG performance and use these reports as an opportunity to quickly identify and escalate any issues or risks at an early stage.
Key Legislation & Guidance

This policy should be read in conjunction with the following:

• Confidentiality and Data Protection
• Code of Conduct (in respect of confidentiality)
• IG Training
• Information Sharing
• Privacy Impact Assessments
• Information Security / Safe Haven procedures
• Information Risk Assessment and Management Programme
• Records Management
• Subject Access Requests
• IG Incident Management
• Mobile Media / Social Networking
• Freedom of Information

Key legislation includes:
• Access to Health Records Act 1990
• Computer Misuse Act 1990
• Data Protection Act 1998/2018
• General Data Protection Regulation 2016
• Freedom of Information Act 2000
• Civil Contingencies Act 2004
• Health and Social Care Act 2012
• Fraud Act 2006
• NHS Act 2006
Further References (if not included above)

The following references can be accessed via the links provided:

• Data Protection Act 1998 available from www.opsi.go.uk
• Access to Health Records Act 1990 available from www.opsi.go.uk
• Human Rights Act 1998 available from www.opsi.go.uk
• Freedom of Information available from www.opsi.go.uk
• Environmental Information Regulations http://www.ico.org.uk/for_organisations/environmental_information/guide
• Record Management available from http://www.nationalarchives.gov.uk/information-management/projects-andwork/information-records-management.htm
• Common Law of Confidentiality
• NHS Confidentiality - code of practice available from https://www.gov.uk/government/publications/confidentiality-nhs-code-of-practice
• Caldicott Report available from https://www.gov.uk/government/publications/the-information-governance-review
• The Health and Social Care Act http://www.legislation.gov.uk/ukdsi/2013/9780111533055
• Crime and Disorder Act 1998 http://www.legislation.gov.uk/ukpga/1998/37/contents
• Protection of Children Act 1999 http://www.legislation.gov.uk/ukpga/1999/14/contents
Equality and Diversity Statement

The organisation aims to design and implement services, policies and measures that meet the diverse needs of our service, population and workforce, ensuring that none are placed at a disadvantage over others.

All policies and procedures are developed in line with the Practice’s Equality and Diversity policies and need to take into account the diverse needs of the community that is served. The Equality Impact Assessment tool is designed to help consider the needs and assess the impact of the policy being developed. The practice is committed to ensuring that it treats its employees fairly, equitably and reasonably and that it does not discriminate against individuals or groups on the basis of their ethnic origin, physical or mental abilities, gender, age, religious beliefs or sexual orientation.
APPENDIX 1

Radford Medical Practice
INFORMATION GOVERNANCE STEERING GROUP

TERMS OF REFERENCE

1.0 TITLE & FORMATION

Information Governance Steering Group (IGSG)
Formed:

2.0 STATUS & DELEGATED AUTHORITY

2.1 The Information Governance Steering Group is a formal committee of the Practice. The Group is authorised to make decisions which are:
(i) Within these Terms of Reference
(ii) Specifically referred by the partners

2.2 All procedural matters in respect of conduct of meetings shall follow the practice policy.

2.3 The Information Governance Steering Group is authorised by the partners to carry out any activity within its terms of reference. It is authorised to seek clarification and further investigation of any Information Governance (IG) related matter, and to request any relevant information from any employee.

2.4 The Information Governance Steering Group is authorised by the partners to obtain outside or other independent professional advice with relevant experience and expertise if required.

2.5 The Group may recommend actions which require financial expenditure but the Group itself does not have any delegated powers of expenditure, as this rests with the relevant budget holder.

2.6 The Group may establish such working groups or project teams as it considers appropriate to support its objectives and duties. Any group or project team so established shall have terms of reference, including reporting arrangements, approved by the Information Governance Steering Group.

3.0 OBJECTIVES

3.1 The overall objective of the Group is to:
Ensure that there are effective strategies, structures, policies and systems in place to meet the Information Governance Requirements and Agenda.

Information Governance is defined as a framework for handling personal and corporate information in a confidential and secure manner to appropriate ethical and quality standards in a modern health service.

3.2 In fulfilling the objective under 3.1 above, the Group shall:
(i) be mindful of the principles of integrated governance and where necessary identify, consider and communicate risks and impacts that may extend to the wider organisation and which arise through the exercise of its delegated functions.
(ii) link its programme of work to the strategic objectives of the practice

4.0 ACCOUNTABILITY

4.1 The Information Governance Steering Group is accountable to the Partners

4.2 The nominated Senior Information Risk Owner (SIRO) will act as an advocate for information risk in internal discussions. The SIRO is responsible for providing written advice to the Senior Partners on the content of the Annual Governance Statement (AGS) in regard to information risk.

4.3 The Information Asset Owners’ role is to understand and address risks to the information assets they ‘own’; and to provide assurance to the SIRO on the security and use of these assets.
5.0 MEMBERSHIP & ATTENDANCE

5.1 Full members (with voting rights):
• Senior Information Risk Owner (SIRO)
• Caldicott Guardian
• General Manager
•

5.2 The Group will be chaired by the Senior Information Risk Owner (SIRO). The Vice Chair will be the Caldicott Guardian

5.3 Additional members with specific expertise may be co-opted to the Group as required.

5.4 Members shall be assumed to be attending a meeting of the Group unless apologies are sent in advance to the secretary. If a full member cannot attend and if reasonably possible, they should appoint a suitably briefed deputy to attend on their behalf. Deputies shall contribute to the quorum and shall have voting rights as per full members.

5.5 The Practice Manager shall ensure that arrangements are in place for the provision of administrative support to the Group.

6.1 DUTIES

The duties of the Group are to:

• Work on behalf of the Partners to ensure the practice complies with the Information Governance and record-keeping elements of national standards and criteria including:
    o Information Governance Toolkit Standards
    o NHS Litigation Authority Risk Management Standards
    o Care Quality Commission Standards
    o NHS Operating Framework
    o Develop action plans to ensure compliance with these standards.
    o Seek assurance around compliance and completed recommendations
• Establish an Information Governance improvement plan to secure the necessary implementation of resources and monitor the implementation of that action plan.
• To review and approve Practice Information Governance policies on behalf of the Partners
• Consider serious breaches of confidentiality and information security and where appropriate undertake or recommend remedial action.
• To review the analysis and management of Information Governance incidents and prevented incidents to ensure that any quality issues have been identified and remedial actions taken to protect patients and the organisation and that any lessons learnt:
    o Are communicated throughout the organisation
    o Are used to review local processes and structures to enhance information governance
• To review and promote Information Risk awareness and control
• Consider and monitor the implementation of recommendations made in relevant internal audit reports or other sources of assurance.
• Promote and monitor service user feedback with regard to Information Governance issues.
• Identify training needs, agree on delivery method and monitor progress.
• Set the strategic guidelines for sharing information with external organisations.
• Consider any relevant issues arising from practice policy and national guidance and to also consider the impact (including risks and resource requirements) of stated forthcoming government policy and legislation.
• Monitor and review the policy and guidance for the management of records in the practice.
• Ensure that the practice, through its service areas, implements the Records Management policy (and other related policies) and provides guidance on the development and review of local systems.
• Approve standards for the format and quality of all records including writing and content.
7.0 MEETINGS

7.1 The Group will meet every 6 months unless otherwise agreed by the Chair.

7.2 The Chair of the Group may also convene special meetings.

7.3 Venues will be agreed and notified to members and as relevant, to co-opted members and observers.

7.4 The Group shall devise an annual “business cycle” which identifies the dates of meetings and the matters which are to be considered at each meeting.

8.0 QUORUM

8.1 The quorum will be two members which must include the Chair or Vice Chair.

9.0 DECISION MAKING

9.1 The Group has joint and collective responsibility for agreeing decisions. Decisions shall be reached by consensus where possible, and where there is not unanimous agreement, a vote shall be taken and the result recorded. The Chair shall have a casting vote where applicable.

9.2 Para 9.1 above notwithstanding, in the event agreement cannot be reached on a particular issue, the Chair may opt to refer a matter to the Partners for decision.

9.3 Co-opted members and observers do not have voting rights.

9.4 In the event of an urgent decision being required between meetings on any matter within the Terms of Reference of the Group, the Chair may take ‘Chair’s Action’. The action will be reported to the next meeting for ratification and recorded in the minutes/notes.

10.0 PAPERS

10.1 The agenda for each meeting will be devised by the Practice Manager and agreed with the Chair.

10.2 The deadline for agenda items will be communicated prior to each meeting, with any urgent business beyond the deadline to be agreed with the Chair in advance of the meeting.

10.3 The agenda and associated papers/documents for each meeting will be distributed in advance of the meeting to all members and co-opted members.
10.4 Members have responsibility to manage the papers/documents in accordance with the Practice’s Records Management policy.

10.5 Draft Minutes/notes of each meeting will be agreed by the Chair before distribution to the members.

10.6 At the discretion of the Chair, matters of a confidential or sensitive nature concerning information which may be exempt from disclosure under the Freedom of Information Act may be covered under a “Part 2” meeting of the Group. If a “Part 2” meeting is held, the following shall apply:
(i) The Chair shall have the power to exclude any full members of the group from the meeting provided that there are at least two members other than the Chair present.
(ii) Unless determined otherwise by the Chair, papers & minutes of a Part 2 meeting shall be circulated to those attending only.
(iii) In the event of a request made under the Freedom of Information Act which is pertinent to Part 2 Group papers, a decision on exemption from disclosure shall be made by the Chair in consultation with the Data Protection Officer. Formal legal advice shall be obtained if considered appropriate.

11.0 REPORTING

11.1 The minutes of Group meetings shall be formally recorded and submitted to the Partners.

11.2 Copies of the approved agenda and minutes submitted for the Group will be published on the practice shared drive (unless they contain personal or other sensitive information exempt from disclosure under the Freedom of Information Act).
12.0 TERMS OF REFERENCE – RATIFICATION AND REVIEW

12.1 The Terms of Reference will be agreed by the Group and ratified by the Partners.

12.2 The Terms of Reference will be reviewed annually or earlier at the Chair’s discretion.

13.0 DISSOLUTION

13.1 The Group may only be dissolved with the agreement of the Partners or by default in the event of the Practice ceasing to exist as an independent, statutory body.

Date: October 2018